Summary
Move cart behavior into the Node.js + Express backend and make sure users can access only their own PostgreSQL cart data.
Tasks
- Implement list, add, update, and delete cart item endpoints
- Persist cart data through PostgreSQL-compatible queries
- Preserve the cart data shape the current frontend expects where practical
- Enforce per-user ownership checks on cart operations
- Remove any path or query behavior that can leak all cart rows
- Add API test coverage for allowed and blocked cart access
Done criteria
- An authenticated user can view only their own cart
- Add, quantity update, and delete actions work end to end
- Cart data persists correctly in PostgreSQL
- The previous cart path mismatch and global cart exposure risk are removed
Reference
GROUP/BookRunner API Contract.md
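
One way to meet the ownership tasks above, as an added example that is not code from this repository: a cart data-access layer in which every statement is scoped to the authenticated user. The `cart_items` table, its columns, and the `makeCartStore` name are assumptions; `db` is expected to follow node-postgres' `query(text, values)` shape.

```javascript
// Added example. Assumed schema: cart_items(id, user_id, book_id, quantity).
// `db` is anything exposing node-postgres' query(text, values).
// userId must come from the authenticated session, never from the URL or body.
function makeCartStore(db) {
  return {
    // No unfiltered SELECT exists, so no code path can return every cart row.
    async list(userId) {
      const { rows } = await db.query(
        'SELECT id, book_id, quantity FROM cart_items WHERE user_id = $1 ORDER BY id',
        [userId]);
      return rows;
    },
    async add(userId, bookId, quantity) {
      assertQuantity(quantity);
      const { rows } = await db.query(
        'INSERT INTO cart_items (user_id, book_id, quantity) VALUES ($1, $2, $3) ' +
        'RETURNING id, book_id, quantity',
        [userId, bookId, quantity]);
      return rows[0];
    },
    // Update and delete match on id AND user_id in one statement, so there is
    // no check-then-write gap. Zero rows means "missing or not yours"; map
    // both to 404 so item ids of other users are not confirmed.
    async updateQuantity(userId, itemId, quantity) {
      assertQuantity(quantity);
      const { rows } = await db.query(
        'UPDATE cart_items SET quantity = $3 WHERE id = $1 AND user_id = $2 ' +
        'RETURNING id, book_id, quantity',
        [itemId, userId, quantity]);
      return rows[0] || null;
    },
    async remove(userId, itemId) {
      const { rowCount } = await db.query(
        'DELETE FROM cart_items WHERE id = $1 AND user_id = $2',
        [itemId, userId]);
      return rowCount === 1;
    },
  };
}

function assertQuantity(q) {
  if (!Number.isInteger(q) || q < 1) {
    throw new RangeError('quantity must be a positive integer');
  }
}
```

The "allowed and blocked" API tests can exercise these functions with two user ids, expecting `null` or `false` when the second user targets the first user's item.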